Login failed using Samsung "3rd Party" app?

[fc7 123]

Is the 3rd party app still working for you guys?

 

It was working just fine for me since always but I didn't use it for a couple of weeks and now I just can't login from the app (the username and password was saved in the app).

Same username and password is working from Firefox. Is it possible that a change in 4.0.2 could broke login from this app?

 

iOS and browser works just fine.

 

From the log:

2019-03-08 22:06:14.129 Info HttpServer: HTTP POST http://192.168.X.X:8096/emby/Users/AuthenticateByName?format=json. UserAgent: Mozilla/5.0 (SmartHub; SMART-TV; U; Linux/SmartTV+2014; Maple2012) AppleWebKit/537.42+ (KHTML, like Gecko) SmartTV Safari/537.42+
2019-03-08 22:06:14.131 Info HttpClient: POST https://connect.emby.media/service/user/authenticate
2019-03-08 22:06:14.759 Info UserManager: Authentication request for <user> has been denied.
2019-03-08 22:06:14.760 Warn HttpServer: AUTH-ERROR: 192.168.X.X - Invalid user or password entered.
2019-03-08 22:06:14.760 Error HttpServer: Invalid user or password entered.
2019-03-08 22:06:14.760 Info HttpServer: HTTP Response 401 to 192.168.X.X. Time: 632ms. http://192.168.X.X:8096/emby/Users/AuthenticateByName?format=json

Since the official app is not available in Europe if this stopped working I will not be able to user Emby with my TV anymore.

 

[fc7 123]

BTW I noticed that only if I try to login from the Samsung 3rd party app Emby for some reason is calling home:

POST https://connect.emby.media/service/user/authenticate

to authenticate the user??

 

If I login using the browser this is not happening.

[FrostByte 5049]

I was just using v2.2.4 last night for testing.  I'm running the latest beta server.  There seemed to be a long pause right after the splash screen popped up though, which is probably while it's logging on. 

 

My userid also has no password so maybe that could make a difference too

Edited March 8, 2019 by FrostByte

[fc7 123]

I was just using v2.2.4 last night for testing.  I'm running the latest beta server.

 

Thanks I will reinstall it just in case and try again.

[FrostByte 5049]

Oh, I just modified my reply to say that my user has no password and is set to remember.  It logs on automatically, but there seems to be a long pause during the ss

Edited March 8, 2019 by FrostByte

[fc7 123]

Ok. I reinstalled the app using the latest source code from Github and I can confirm that login is broken in the following scenario:

• Logins are NOT using Emby Connect (only local users).
• Logins ARE using passwords (or PINs).
• Emby Server version 4.0.2.
• Samsung 3rd party app 2.2.4a (master branch from Github).

 

After doing some debbuging including network traces and app code review these are my findings:

 

• Something changed in the latest Emby Server version (4.0.2) and now for authentication instead of using the JSON keys "Username" and "Password" the server seems to be expecting that the password is passed using the "Pw" key. I was able to confirm this using curl and trying to authenticate passing the user password using both key names. Using "Password" key, login always failed while with "Pw" key it works. I think probably this is the main issue.
   
• Another problem may be the "Authorization" header. Currently the Samsung app is passing the following header:
  

  Authorization: MediaBrowser Client="Samsung TV", Device="Samsung UE55H6500", DeviceId="ZPCM4M3HTU67Q", Version="v2.2.4a", UserId=""
  

  While the webclient for example is passing the following one:
   

  X-Emby-Authorization: MediaBrowser Client="Emby Mobile", Device="Firefox", DeviceId="442d3e17e8a5dde2646ec10e199a0535fbe9605b", Version="4.0.2.0"
  

  The header name is different not sure if this can be also affecting the login. I tried to authenticate with both headers using curl and it seems to work fine.
   

• The password passed by the Samsung app doesn't match what was entered in the login form in the app. In the network trace I can see that in the JSON data the password value seems to be a hash (or something similar) and not the actual user password. Not sure if this is expected or not. Testing with curl login only works using the actual using password, not the value passed by the Samsung app.

@Luke: do you mind looking into this and sharing your thoughts. I can change the Samsung app code to use "Pw" instead of "Password" but I don't want to waste my time if that will not be enough and more things needs to be changed to make the app work with the latest server version.

 

Thanks.

Edited March 30, 2019 by fc7

[Luke 37046]

Yes it looks like the app is out of date with the api regarding the Pw field, so that should be updated. UserId should also be filled in. @@SamES might be able to address these things pretty quickly. Thanks.

[fc7 123]

Yes it looks like the app is out of date with the api regarding the Pw field, so that should be updated. UserId should also be filled in. @@SamES might be able to address these things pretty quickly. Thanks.

 

Thanks for confirming @@Luke. What about the password not being sent in clear but as a SHA1 hash. Is that expected?

 

I found all the places where the code needs to be changed and I'm willing to change it myself and test it just waiting for confirmation about the above.

 

EDIT: further reviewed the application code and found that the app is sending a SHA1 hash instead of the password in clear text.

Edited March 30, 2019 by fc7

[fc7 123]

Nevermind I checked the API documentation and figured it out.

I managed to patch the application code and now it is working again. Please find below the patch I wrote:

diff --git a/app/javascript/Main.js b/app/javascript/Main.js
index 648c062..83d9f91 100644
--- a/app/javascript/Main.js
+++ b/app/javascript/Main.js
@@ -4,7 +4,7 @@ var tvKey = new Common.API.TVKeyValue();
        
 var Main =
 {
-               version : "v2.2.4a",
+               version : "v2.2.4b",
                requiredServerVersion : "3.0.5211",
                requiredDevServerVersion : "3.0.5507.2131",
                
diff --git a/app/javascript/Server.js b/app/javascript/Server.js
index 0d7aed6..f12ee1a 100644
--- a/app/javascript/Server.js
+++ b/app/javascript/Server.js
@@ -229,9 +229,9 @@ Server.getStreamUrl = function(itemId,mediaSourceId){
 
 Server.setRequestHeaders = function (xmlHttp,UserId) {
        if (this.UserID == null) {
-               xmlHttp.setRequestHeader("Authorization", "MediaBrowser Client=\"Samsung TV\", Device=\""+this.Device+"\", DeviceId=\""+this.DeviceID+"\", Version=\""+Main.getVersion()+"\", UserId=\""+UserId+"\"");
+               xmlHttp.setRequestHeader("X-Emby-Authorization", "MediaBrowser Client=\"Samsung TV\", Device=\""+this.Device+"\", DeviceId=\""+this.DeviceID+"\", Version=\""+Main.getVersion()+"\", UserId=\""+UserId+"\"");
        } else {
-               xmlHttp.setRequestHeader("Authorization", "MediaBrowser Client=\"Samsung TV\", Device=\""+this.Device+"\", DeviceId=\""+this.DeviceID+"\", Version=\""+Main.getVersion()+"\", UserId=\""+this.UserID+"\"");
+               xmlHttp.setRequestHeader("X-Emby-Authorization", "MediaBrowser Client=\"Samsung TV\", Device=\""+this.Device+"\", DeviceId=\""+this.DeviceID+"\", Version=\""+Main.getVersion()+"\", UserId=\""+this.UserID+"\"");
                if (this.AuthenticationToken != null) {
                        xmlHttp.setRequestHeader("X-MediaBrowser-Token", this.AuthenticationToken);             
                }
@@ -554,7 +554,7 @@ Server.testConnectionSettings = function (server,fromFile) {
 
 Server.Authenticate = function(UserId, UserName, Password) {
        var url = Server.getServerAddr() + "/Users/AuthenticateByName?format=json";
-    var params =  JSON.stringify({"Username":UserName,"Password":Password});
+    var params =  JSON.stringify({"Username":UserName,"Pw":Password});
     
     var xmlHttp = new XMLHttpRequest();        
     xmlHttp.open( "POST", url , false ); //Authenticate must be false - need response before continuing!
@@ -617,4 +617,4 @@ Server.getContent = function(url) {
                GuiUsers.start(true);
                return null;
        }
-}
\ No newline at end of file
+}
diff --git a/config.xml b/config.xml
index 877fd74..975d796 100644
--- a/config.xml
+++ b/config.xml
@@ -9,7 +9,7 @@
        <BigListIcon itemtype="string">icon/MB3_95_78.png</BigListIcon>
        <category itemtype="Video">Videos</category>
        <autoUpdate itemtype="boolean">n</autoUpdate>
-       <ver itemtype="string">2.2.4a</ver>
+       <ver itemtype="string">2.2.4b</ver>
        <mgrver itemtype="string"/>
        <fullwidget itemtype="boolean">y</fullwidget>
        <type itemtype="string">user</type>
@@ -28,4 +28,4 @@
                <link itemtype="string">emby.media</link>
                <organization itemtype="string"/>
        </author>
-</widget>
\ No newline at end of file
+</widget>
diff --git a/app/javascript/Gui/GuiUsers.js b/app/javascript/Gui/GuiUsers.js
index e998f5f..963f996 100644
--- a/app/javascript/Gui/GuiUsers.js
+++ b/app/javascript/Gui/GuiUsers.js
@@ -174,14 +174,13 @@ GuiUsers.processSelectedUser = function () {
                        document.getElementById("GuiUsers").focus();
                        new GuiUsers_Input("guiUsers_Password");
                } else {
-                       var pwdSHA1 = Sha1.hash("",true);
-                       var authenticateSuccess = Server.Authenticate(this.UserData[this.selectedUser].Id, this.UserData[this.selectedUser].Name, pwdSHA1);             
+                       var authenticateSuccess = Server.Authenticate(this.UserData[this.selectedUser].Id, this.UserData[this.selectedUser].Name, password);
                        if (authenticateSuccess) {
                                //Reset GUI to as new - Not Required as it already is!!
                                //Hide loading
                                document.getElementById("guiLoading").style.visibility = "hidden";
                                //Add Username & Password to DB
-                               File.addUser(this.UserData[this.selectedUser].Id,this.UserData[this.selectedUser].Name,pwdSHA1,this.rememberPassword);
+                               File.addUser(this.UserData[this.selectedUser].Id,this.UserData[this.selectedUser].Name,password,this.rememberPassword);
                                //Change Focus and call function in GuiMain to initiate the page!
                                GuiMainMenu.start();
                        } else {
@@ -379,15 +378,14 @@ var GuiUsers_Input  = function(id) {
 
 //Run from IME if user has password - Run in GuiUsers for ease of access to class variables
 GuiUsers.IMEAuthenticate = function(password) {
-    var pwdSHA1 = Sha1.hash(password,true);
-       var authenticateSuccess = Server.Authenticate(this.UserData[this.selectedUser].Id, this.UserData[this.selectedUser].Name, pwdSHA1);             
+       var authenticateSuccess = Server.Authenticate(this.UserData[this.selectedUser].Id, this.UserData[this.selectedUser].Name, password);
        if (authenticateSuccess) {
                //Reset GUI to as new!
                document.getElementById("guiUsers_pwd").style.visibility="hidden";
 
                //Add Username & Password to DB - Save password only if rememberPassword = true
                if (this.rememberPassword == true) {
-                       File.addUser(this.UserData[this.selectedUser].Id,this.UserData[this.selectedUser].Name,pwdSHA1,this.rememberPassword);
+                       File.addUser(this.UserData[this.selectedUser].Id,this.UserData[this.selectedUser].Name,password,this.rememberPassword);
                } else {
                        File.addUser(this.UserData[this.selectedUser].Id,this.UserData[this.selectedUser].Name,"",this.rememberPassword);
                }
@@ -468,4 +466,4 @@ GuiUsers.keyDownPassword = function() {
                                alert("Unhandled key");
                                break;
                }
-       };
\ No newline at end of file
+       };
diff --git a/app/javascript/Gui/GuiUsers_Manual.js b/app/javascript/Gui/GuiUsers_Manual.js
index 7980e12..807c85c 100644
--- a/app/javascript/Gui/GuiUsers_Manual.js
+++ b/app/javascript/Gui/GuiUsers_Manual.js
@@ -33,8 +33,7 @@ GuiUsers_Manual.start = function() {
 }
 
 GuiUsers_Manual.IMEAuthenticate = function(user, password) {
-    var pwdSHA1 = Sha1.hash(password,true);
-    var authenticateSuccess = Server.Authenticate(null, user, pwdSHA1);                
+    var authenticateSuccess = Server.Authenticate(null, user, password);
     if (authenticateSuccess) {         
        document.getElementById("NoKeyInput").focus();
        
@@ -53,7 +52,7 @@ GuiUsers_Manual.IMEAuthenticate = function(user, password) {
                        alert("Need to add the user to the DB");
                        //Add Username & Password to DB - Save password only if rememberPassword = true
                        if (this.rememberPassword == true) {
-                               File.addUser(Server.UserID,user,pwdSHA1,this.rememberPassword);
+                               File.addUser(Server.UserID,user,password,this.rememberPassword);
                        } else {
                                File.addUser(Server.UserID,user,"",this.rememberPassword);
                        }
@@ -204,4 +203,4 @@ GuiUsers_Manual.keyDownPassword = function() {
                        alert("Unhandled key");
                        break;
        }
-};
\ No newline at end of file
+};

[fc7 123]

Also in case someone wants to install the patched version of the app to fix the login issue please find the package file attached.

You can install it by side loading it or using the web server method.

Emby_2.2.4.3_Europe_20190330.zip

[SamES 890]

Yes it looks like the app is out of date with the api regarding the Pw field, so that should be updated. UserId should also be filled in. @@SamES might be able to address these things pretty quickly. Thanks.

 

 

So I'm actually having a problem reproducing this.  With the same app version, I'm connecting using the password field (not pw) and it works fine without any app changes.  Am I missing something here?

 

@@Luke, does this actually need a change?  Will legacy support for the 'Password' field be removed at some stage?

2019-06-16 22:57:38.291 Info HttpServer: HTTP POST http://192.168.1.222:8096/emby/Users/AuthenticateByName?format=json. UserAgent: Mozilla/5.0 (SmartHub; SMART-TV; U; Linux/SmartTV+2015; Maple2012) AppleWebKit/537.42+ (KHTML, like Gecko) SmartTV Safari/537.42+
2019-06-16 22:57:38.358 Info UserManager: Authentication request for Mark has succeeded.
2019-06-16 22:57:38.361 Info SessionManager: Creating new access token for user 3
2019-06-16 22:57:38.366 Info HttpServer: HTTP Response 200 to 192.168.1.85. Time: 75ms. http://192.168.1.222:8096/emby/Users/AuthenticateByName?format=json

Edited June 16, 2019 by SamES

[Luke 37046]

@@SamES please just update it to match the web app/theater. Thanks.

[SamES 890]

@@SamES please just update it to match the web app/theater. Thanks.

 

 

No problem, will do.